[libvirt] [PATCH 0/9] Let libvirt manage a bridge's FDB

Laine Stump laine at laine.org
Mon Nov 24 17:48:28 UTC 2014


The idea behind these patches is the following: 

1) most virtual machines only have a single MAC address behind each
interface, and that MAC address is known by libvirt.

2) If we (i.e. libvirt) manually add an entry to the bridge's
forwarding database (fdb) for the MAC address associated with a port
on the bridge, we can turn off learning and unicast_flooding for that
port.

3) kernels starting with 3.15 (and actually working correctly starting
in kernel 3.17) will notice that all of a bridge's ports have flood
and learning turned off, and in that case will turn off promiscuous
mode on all ports. If all but one of the ports have flood/learning
turned off, then promiscuous will be turned off on that port (and left
on for all the other ports)

4) When (4) can be done, there is a measurable performance
advantage. It can also help security, as it will prevent a guest from
doing anything useful if it changes its MAC address.

Notes:

A) Patches 1-7 are the only ones that I plan to push now, 8 & 9 are
just to simplify tangentially-related code, and I've found a problem
with these during update of a live system, so I won't be pushing
them. You can/should ignore them for now.

B) I don't like the name "promiscLinks", and will probably change it
(maybe to "fdb='managed|auto'"), but want to get the other aspects of
these patches reviewed.

C) These only work with a fixed MAC address, and no vlan tags set in
the guest. Support for both of those will be coming.

Laine Stump (9):
  util: new functions for setting bridge and bridge port attributes
  util: functions to manage bridge fdb (forwarding database)
  conf: new network bridge device attribute promiscLinks
  network: save bridge name in ActualNetDef when actualType==network too
  network: store network promiscLinks setting in NetDef actual object
  network: setup bridge devices for promiscLinks='no'
  qemu: setup tap devices for promiscLinks='no'
  qemu: always use virDomainNetGetActualBridgeName to get interface's
    bridge
  lxc: always use virDomainNetGetActualBridgeName to get interface's
    bridge

 docs/formatnetwork.html.in                         |  36 +-
 docs/schemas/network.rng                           |   5 +
 src/conf/domain_conf.c                             | 129 +++++---
 src/conf/domain_conf.h                             |   2 +
 src/conf/network_conf.c                            |  47 ++-
 src/conf/network_conf.h                            |   1 +
 src/libvirt_private.syms                           |   9 +
 src/lxc/lxc_driver.c                               |  32 +-
 src/lxc/lxc_process.c                              |  32 +-
 src/network/bridge_driver.c                        |  66 ++++
 src/qemu/qemu_command.c                            |  51 ++-
 src/qemu/qemu_hotplug.c                            |  60 +---
 src/util/virnetdevbridge.c                         | 364 ++++++++++++++++++++-
 src/util/virnetdevbridge.h                         |  44 ++-
 tests/networkxml2xmlin/host-bridge-no-flood.xml    |   6 +
 .../nat-network-explicit-flood.xml                 |  21 ++
 tests/networkxml2xmlout/host-bridge-no-flood.xml   |   6 +
 .../nat-network-explicit-flood.xml                 |  23 ++
 tests/networkxml2xmltest.c                         |   2 +
 19 files changed, 726 insertions(+), 210 deletions(-)
 create mode 100644 tests/networkxml2xmlin/host-bridge-no-flood.xml
 create mode 100644 tests/networkxml2xmlin/nat-network-explicit-flood.xml
 create mode 100644 tests/networkxml2xmlout/host-bridge-no-flood.xml
 create mode 100644 tests/networkxml2xmlout/nat-network-explicit-flood.xml

-- 
1.9.3
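As an added illustration (not code from this series; it models the per-port attributes and the promiscuity rule exactly as the cover letter states them, on a constructed snapshot rather than a live host): the iproute2 equivalent of the per-port setup the patches do over netlink, the promiscuity a 3.17+ kernel should settle on for a given set of ports, and an audit that flags a static port whose fdb no longer holds exactly the MAC libvirt knows for its guest. Port names such as `eth0`/`vnet0` and the MAC addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """One bridge port from a constructed sysfs/fdb snapshot."""
    name: str
    learning: bool        # /sys/class/net/<port>/brport/learning
    unicast_flood: bool   # /sys/class/net/<port>/brport/unicast_flood
    fdb: set = field(default_factory=set)  # MACs with static fdb entries on the port

def plan_port(port, mac):
    """iproute2 equivalent of what the series does over netlink for one port."""
    return [
        f"bridge link set dev {port} learning off flood off",
        f"bridge fdb add {mac.lower()} dev {port} master static",
    ]

def is_static(p):  # a port is 'static' once learning and unicast flooding are both off
    return not p.learning and not p.unicast_flood

def expected_promisc(ports):
    """Promiscuity a 3.17+ kernel settles on, per the cover letter: all ports static
    -> off everywhere; exactly one 'auto' port -> off on that port only; else on."""
    auto = [p.name for p in ports if not is_static(p)]
    if not auto:
        return {p.name: False for p in ports}
    if len(auto) == 1:
        return {p.name: p.name != auto[0] for p in ports}
    return {p.name: True for p in ports}

def audit(ports, known_macs):
    """Static ports whose fdb is not exactly the MAC libvirt knows for them (stale
    or extra entries deliver frames to a MAC the guest should not own)."""
    problems = []
    for p in ports:
        if not is_static(p):
            continue
        want = {known_macs[p.name].lower()} if p.name in known_macs else set()
        have = {m.lower() for m in p.fdb}
        if have != want:
            problems.append((p.name, sorted(have), sorted(want)))
    return problems

# Constructed snapshot: uplink still learning, two libvirt-managed tap ports.
SNAPSHOT = [
    Port("eth0", learning=True, unicast_flood=True),
    Port("vnet0", learning=False, unicast_flood=False, fdb={"52:54:00:aa:bb:01"}),
    Port("vnet1", learning=False, unicast_flood=False, fdb={"52:54:00:aa:bb:02", "52:54:00:de:ad:01"}),
]
KNOWN = {"vnet0": "52:54:00:aa:bb:01", "vnet1": "52:54:00:aa:bb:02"}
```

On a real host the snapshot would be read from sysfs and `bridge fdb show`; with only the uplink still learning, the rule as stated leaves the tap ports promiscuous and clears it on the uplink.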

